CVE-2025-0898
Arbitrary File Read in Xpro Elementor Addons Pro WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xpro | elementor_addons_pro | up to 1.4.7 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Xpro Elementor Addons - Pro plugin for WordPress has a vulnerability in all versions up to and including 1.4.7 that allows Arbitrary File Reading via the Draw SVG widget.
This means that an authenticated attacker with Contributor-level access or higher can read the contents of any file on the server.
Such files may contain sensitive information, making this a serious security issue.
How can this vulnerability impact me?
This vulnerability can allow attackers with Contributor-level access to read arbitrary files on the server.
As a result, sensitive information stored in these files could be exposed, potentially leading to data breaches or further exploitation.
The CVSS score of 6.5 indicates a medium severity impact, primarily affecting confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Contributor-level access and above to read arbitrary files on the server, which can contain sensitive information.
Exposure of sensitive information due to this arbitrary file reading could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive data.
However, the provided information does not explicitly detail the impact on compliance with these standards.